MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4
SHA3-384 hash: 8440a660b5d4c6385a6f4e834a29fcce3abf41eba1288703a678f1bd8fcf4b4b5808e5c33acc5e586c7f97e3b7d86173
SHA1 hash: a716058a8112c8712a7c89e2d40006e68eab190a
MD5 hash: c6a32a2d9bd7b31a9be01eb00e261c3c
humanhash: nine-sink-blue-sad
File name:#QUOTATION 498341.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'153'408 bytes
First seen:2021-12-27 00:16:37 UTC
Last seen:2021-12-27 01:43:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:jE5JvjWSkL+wCb99Nnov/6DS3LGji3FcOV:/N
Threatray 597 similar samples on MalwareBazaar
TLSH T1DFE5512C20DB8CC6408C9D7CD5F5196D32777A004749DB4B92AFAC9DD542AC8F42EEAB
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
#QUOTATION 498341.exe
Verdict:
Malicious activity
Analysis date:
2021-12-27 00:18:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17aba8e9-f0eb-4d91-ac0f-c5c6db5aecb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/216468/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.12720.20122.27375.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a service
Creating a window
Changing a file
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a single autorun event
Blocking the User Account Control
Moving of the original file
Forced shutdown of a system process
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/61c906008991ba72b399ffe7/reports/f1464348-c06c-4aa4-be3f-aac9efbc7e3d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0b14086-015f-459f-8600-49bc33b3708b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/912984
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide user accounts
Creates an autostart registry key pointing to binary in C:\Windows
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 545462 Sample: #QUOTATION 498341.exe Startdate: 27/12/2021 Architecture: WINDOWS Score: 100 75 api.telegram.org 2->75 79 Multi AV Scanner detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected UAC Bypass using CMSTP 2->83 85 18 other signatures 2->85 10 #QUOTATION 498341.exe 6 11 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 49 C:\Windows\Microsoft.NET\...\svchost.exe, PE32 10->49 dropped 63 3 other files (1 malicious) 10->63 dropped 95 Moves itself to temp directory 10->95 97 Creates an autostart registry key pointing to binary in C:\Windows 10->97 99 Writes to foreign memory regions 10->99 101 Disables UAC (registry) 10->101 21 ngentask.exe 10->21         started        24 224f5cca-f69d-4b04-a5c1-e4dd6614ef02.exe 44 2 10->24         started        26 powershell.exe 26 10->26         started        28 7 other processes 10->28 51 C:\Windows\Temp\yynguqb0.inf, Windows 14->51 dropped 53 C:\Windows\Temp\qxoosst5.inf, Windows 14->53 dropped 65 2 other files (none is malicious) 14->65 dropped 103 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->103 105 Adds a directory exclusion to Windows Defender 14->105 107 Injects a PE file into a foreign processes 14->107 55 33174aa2-0ea4-4c34-93ca-917659f0e45c.exe, PE32 16->55 dropped 57 C:\Windows\Temp\oi2bfipw.inf, Windows 16->57 dropped 59 C:\Windows\Temp\3xmbtleg.inf, Windows 16->59 dropped 61 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 16->61 dropped 77 192.168.2.1 unknown unknown 18->77 109 Changes security center settings (notifications, updates, antivirus, firewall) 18->109 file6 signatures7 process8 signatures9 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->87 89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->89 91 Tries to steal Mail credentials (via file / registry access) 21->91 93 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->93 30 PkgMgr.exe 24->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started        42 3 other processes 28->42 process10 process11 44 Dism.exe 30->44         started        file12 67 C:\Users\user\AppData\...\WimProvider.dll.mui, PE32 44->67 dropped 69 C:\Users\user\AppData\...\VhdProvider.dll.mui, PE32 44->69 dropped 71 C:\Users\user\...\UnattendProvider.dll.mui, PE32 44->71 dropped 73 49 other files (none is malicious) 44->73 dropped 47 conhost.exe 44->47         started        process13
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-12-27 00:17:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gzvr34iqsyekirfcwd6kcxf3fpgqpm2ubtivfoxnmuaykvxt6psa._file
Verdict:
malicious
Similar samples:
21c97688730d666e13f8b52aeec94371b7996cef7afcd2dd80d0ea1b76b5f3ec
AgentTesla
2443683c507125b6d089b3537e9cb78ef67f0dd8ba5822a7a7ee78ca84feeba8
AgentTesla
2ac91449fd255e02594e29de0f1c66c70fb0ba1af3dd87846ffe3e21503ffb4d
AgentTesla
575abacc5769a079c29e1b1032853673df77376f6b6522b00edbd1b1531a1af0
AgentTesla
750adca8e434c3d8cd88be58d28d842b862f6be645ab4b86fef5b6268da9d187
AgentTesla
7d6aee416fbfdfd3dd7cd2661c7f232f00dc6200ea3ca6cb67193bbe2979eac0
AgentTesla
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
AgentTesla
de84340eef0ca9f002d25e7a0ffdc5be906a2b0852c728008b9ac6928c3e7259
AgentTesla
+ 587 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211227-ak2saaaefj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Nirsoft
AgentTesla
UAC bypass
Windows security bypass
Malware Config
C2 Extraction:
https://api.telegram.org/bot2030557675:AAF2CRvHF_rfT7tYXz9VN8YUb6kF5qxu_xg/sendDocument
Unpacked files
SH256 hash:
bbeb8f9b95cc39033674b58fdc34dffacb8d03ebaf6e5288f0f7170a273abbf7
MD5 hash:
60dc23ace2a98b8b77eabde173016a64
SHA1 hash:
d202ac0403316025c2cf41c67caf996b2b954da0
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
SH256 hash:
3da80bd8e18bf2ef5e28f5e2e0d2095b0d4e65391800ce18f9a18859d7beb220
MD5 hash:
5dbed7594d4c8d71c1882692e6776bf0
SHA1 hash:
8552a2f2afca501945fe57c1875970b6f777f709
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
SH256 hash:
9ccd0addfa25dd4c2d96d64a18c12f644ddfc0df1abce1ea15c44a623f7eb6ae
MD5 hash:
11157af031c0146a3cbbf746405d8ad4
SHA1 hash:
7e3d188539baaf41282371415b87bc8ccce55e96
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
SH256 hash:
a1477f3ea7f259bb332d1938d285510cd720c71287d7f1fa9402f1596a356e9e
MD5 hash:
d6556bbc1a539f88ce3b0c11d2f50ff9
SHA1 hash:
1d44461d76a3746e51fff87fbe2842a4574fda31
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
SH256 hash:
70b785e5cb5b2e61c0f5da4a71ab0bbd14d9a0849387f037e0d75cc1ffe0a082
MD5 hash:
5951b52c9b4d11ca7f4f33e5a3fb2c31
SHA1 hash:
0bc54fd699fff7b93e5c447a141c0d904924ab0d
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
SH256 hash:
366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4
MD5 hash:
c6a32a2d9bd7b31a9be01eb00e261c3c
SHA1 hash:
a716058a8112c8712a7c89e2d40006e68eab190a
Link:
https://www.unpac.me/results/b74dcc3f-bf32-415e-920a-fcb41f1f7ffb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 366b1df1109608a444a2b0fca15cbb2bcd07b3540cd152baed65018556f3f3e4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/216468/

Comments